Default and custom security groups - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Default and custom security groups

Your Amazon account automatically has a default security group for the default VPC in each Region. If you don't specify a security group when you launch an instance, the instance is automatically associated with the default security group for the VPC. If you don't want your instances to use the default security group, you can create your own custom security groups and specify them when you launch your instances.

Default security groups

Each VPC comes with a default security group. We recommend that you create security groups for specific instances or groups of instances instead of using the default security group. However, if you don't specify a security group when you launch an instance, we associate the instance with the default security group for the VPC.

The name of a default security group is "default". The following are the default rules for a default security group.

Inbound

Source | Protocol | Port range | Description
sg-1234567890abcdef0 | All | All | Allows inbound traffic from all resources that are assigned to this security group. The source is the ID of this security group.

Outbound

Destination | Protocol | Port range | Description
0.0.0.0/0 | All | All | Allows all outbound IPv4 traffic.
::/0 | All | All | Allows all outbound IPv6 traffic. This rule is added only if your VPC has an associated IPv6 CIDR block.

Default security group basics
  • You can change the rules for a default security group.

  • You can't delete a default security group. If you try to delete a default security group, we return the following error code: Client.CannotDelete.

Custom security groups

You can create multiple security groups to reflect the different roles that your instances play; for example, web servers or database servers.

When you create a security group, you must provide it with a name and a description. Security group names and descriptions can be up to 255 characters in length, and are limited to the following characters:

a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

A security group name cannot start with the following: sg-. A security group name must be unique for the VPC.

The following are the default rules for a security group that you create:

  • Allows no inbound traffic

  • Allows all outbound traffic

After you've created a security group, you can change its inbound rules to reflect the type of inbound traffic that you want to reach the associated instances. You can also change its outbound rules.
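The following Python is an added example, not code from the AWS documentation. It applies the name and description constraints stated above to a proposed security group name, and it audits a group record (assumed to be in the shape of describe-security-groups output; the sample record is constructed, not real account data) for inbound rules that are not part of the default rule set, so that drift in the default group can be reported.

```python
import re

# Character set and length limits for names and descriptions, as stated on this page.
_ALLOWED = re.compile(r"^[A-Za-z0-9 ._\-:/()#,@\[\]+=&;{}!$*]{1,255}$")


def validate_sg_name(name: str) -> list[str]:
    """Return the constraints from this page that `name` violates (empty list = OK)."""
    problems = []
    if not _ALLOWED.fullmatch(name):
        problems.append("must be 1-255 characters from the allowed set")
    if name.startswith("sg-"):
        problems.append("must not start with 'sg-'")
    return problems


def validate_sg_description(description: str) -> list[str]:
    """Descriptions share the name's character and length limits but may start with 'sg-'."""
    return [] if _ALLOWED.fullmatch(description) else ["must be 1-255 characters from the allowed set"]


def default_group_drift(group: dict) -> list[str]:
    """Compare a group record (describe-security-groups shape, assumed) against the default
    inbound rule on this page: all traffic from this security group itself, nothing else."""
    findings = []
    for perm in group.get("IpPermissions", []):
        for r in perm.get("IpRanges", []):
            findings.append(f"inbound {perm['IpProtocol']} from {r['CidrIp']} is not a default rule")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"inbound {perm['IpProtocol']} from {r['CidrIpv6']} is not a default rule")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != group["GroupId"]:
                findings.append(f"inbound from foreign group {pair['GroupId']} is not a default rule")
    return findings


# Constructed sample record; the IDs and rules are illustrative, not real account data.
SAMPLE_DEFAULT_GROUP = {
    "GroupId": "sg-1234567890abcdef0",
    "GroupName": "default",
    "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-1234567890abcdef0"}]},
        # A rule added after creation; the audit should report it as drift.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    print(validate_sg_name("sg-web"))
    print(default_group_drift(SAMPLE_DEFAULT_GROUP))
```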

For more information about the rules you can add to a security group, see Security group rules for different use cases.